Web Services and Encription

Posted on 2002-07-18
Last Modified: 2010-05-02
I have a few public web methods that can be called by anyone on the internet using SOAP. The only security I've added is a username and password that is embedded in the XML that is passed in as a parameter to the web methods. I want to make my methods more secure by encripting the password, but I don't think that one way encription will do the trick if someone was to intercept my message. The web service has no knowledge of the callers, it only knows to validate the username and password combination.

Any ideas?
Question by:alaplume
  • 4
LVL 17

Expert Comment

ID: 7162523
You could encrypt the password using the Session ID as a key for the encryption engine.

Do you ned a simple encryption engine?
LVL 17

Accepted Solution

inthedark earned 100 total points
ID: 7162593
I expect that you have a good reason for not using HTTPS?

Here is a simple but effective encrypt/decrypt routine:

Hope this helps.....inthedark... :~)

Option Explicit

Private Sub Form_Load()

Dim m$
Dim l$
Dim password As String

m$ = "Mary had a little lamb"

password = "NICK WAS HERE"
Dim e$

e$ = Encrypt(m$, password)
l$ = Decrypt(e$, password)

If l$ <> m$ Then
   MsgBox "Stupid idea idea does not work"
   MsgBox "Good idea idea it works: " + vbCrLf + m$ + vbCrLf + "Came back to: " + l$, vbExclamation, "First Test"
End If

' now the real test

Dim c As Long
m$ = ""
For c = 0 To 255
   m$ = m$ + Chr$(c)
Next c
l$ = Decrypt(Encrypt(m$, password), password)
If l$ <> m$ Then
   MsgBox "Stupid idea it does not work", vbExclamation, "Second Test"
   MsgBox "Good idea it works very well"
   Me.AutoRedraw = True
   Me.Print "Good idea it works very well"
End If

End Sub

Public Function Encrypt(SourceData As String, password As String) As String

Dim S$
S$ = Space$(Len(SourceData))
If Len(S$) = 0 Then Exit Function

Dim PC As Long
Dim LC As Long

For LC = 1 To Len(S$)
   PC = PC + 1
   If PC > Len(password) Then
       PC = 1
   End If
   Mid$(S$, LC, 1) = Chr(Asc(Mid(SourceData, LC, 1)) Xor Asc(Mid$(password, PC, 1)))

Encrypt = S$

End Function

Public Function Decrypt(EncryptedData As String, password As String) As String

Decrypt = Encrypt(EncryptedData, password)

End Function

LVL 17

Expert Comment

ID: 7162660
The problem with using embedded encryption is that the client side needs to encrypt the data which means that you have to embed the encryption source code in the web page.

It would be better to work like pop3 server authentication. How this works is the when the client attaches to the server the server hands the client a number.  The client uses an encryption routine which minces the password and the number together to create a long string.  The server knows which number he gave the client and the client's password so he can encrypt the password in the same way and compare the encrypted result with the result from the client.  I have a C DLL which uses something called MD5. Once encrypted by MD5 I don't think there is a way of decrypting it.

So the only way to make it work is for each client to have an Activex encryption routine like MD5 which is a one way only encryption.

In your case you can generate a new Key for each new session.  A hacker would always be given a new key and therefore could not benefit by sampling the conversation between host and client.

So all you have to do is work out how to save and utilise and ActiveX on each client's system.

I think it would be a lot easier to spend a few dollars and purchase an SSL key from, (or some other company), you could even create your own SSL key free.

It would be interesting to see other viewpoints on this issue.

ScreenConnect 6.0 Free Trial

Explore all the enhancements in one game-changing release, ScreenConnect 6.0, based on partner feedback. New features include a redesigned UI, app configurations and chat acknowledgement to improve customer engagement!

LVL 28

Expert Comment

ID: 7162776
"Build an XMLDOM - Safe DES CryptoStream Class Library in VB.NET" 

Author Comment

ID: 7212058
As it turns out, I can use https after all!
LVL 17

Expert Comment

ID: 7212759
I am glad!

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction In a recent article ( for the Excel community, I showed an improved version of the Excel Concatenate() function.  While writing that article I realized that no o…
Introduction While answering a recent question about filtering a custom class collection, I realized that this could be accomplished with very little code by using the ScriptControl (SC) library.  This article will introduce you to the SC library a…
Get people started with the process of using Access VBA to control Excel using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Excel. Using automation, an Access application can laun…
This lesson covers basic error handling code in Microsoft Excel using VBA. This is the first lesson in a 3-part series that uses code to loop through an Excel spreadsheet in VBA and then fix errors, taking advantage of error handling code. This l…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question